Heh - that's what Jeremiah said...
however... the article does state that the MiTM form *posted* into the
citibank application to authenticate the second factor.
This is the part that I was responding to - regardless of the phishing lure
the user saw - the form shouldn't have been able to post back into the
citibank authentication system successfully. It should have been DOA trying
something like that.
~Dain
-----Original Message-----
From: Brian Eaton [mailto:eaton.lists at gmail.com]
Sent: Monday, July 10, 2006 4:41 PM
To: Web Security
Subject: Re: [WEB SECURITY] Phishing attacks circumventing two-factor auth
On 7/10/06, dpw <dainw at fsr.com> wrote:
> For any mission critical applications, lately I have been using a
> server-side generated "magic hash" key that I generate when the form is
> loaded, and which gets posted along with my forms.
That's not a bad idea, but it wouldn't have helped here. This sounds
like classic MITM.
The two-factor authentication solution should reduce the damage from
this attack. The phishers probably made some cash from this scam, but
once the site was taken down the game was over. They shouldn't be
able to use the stolen passwords without the tokens to go along with
them.
Regards,
Brian
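The server-side "magic hash" form token dpw describes, and the limit Brian points out, as an added example that is not part of this thread or of any bank's code. The token format, the 300-second lifetime, the HMAC construction and the session/form names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server secret for this example only; a real deployment keeps it out of source.
SERVER_SECRET = b"example-only-secret-do-not-use"
TOKEN_TTL = 300  # seconds a form token stays valid (assumed policy)


def issue_form_token(session_id: str, form_name: str, now: Optional[float] = None) -> str:
    """Server-side token generated when the form is rendered.

    It binds the form to the session, the form name and an issue time, so a
    stale, tampered or foreign submission fails. It is stateless: the server
    stores nothing and simply recomputes the MAC when the form is posted back.
    """
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = f"{session_id}|{form_name}|{ts}|{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{ts}.{nonce}.{mac}"


def verify_form_token(token: str, session_id: str, form_name: str, now: Optional[float] = None) -> bool:
    """Check a posted token against the session and form that submit it."""
    try:
        ts_str, nonce, mac = token.split(".")
        ts = int(ts_str)
    except ValueError:
        return False  # malformed token
    current = now if now is not None else time.time()
    if current - ts > TOKEN_TTL or ts > current + 5:
        return False  # expired, or issued in the future
    msg = f"{session_id}|{form_name}|{ts}|{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def demo() -> dict:
    """Run the token through the cases it does and does not defend against."""
    now = 1_700_000_000.0  # constructed fixed clock so results are reproducible
    sid = "sess-A"
    tok = issue_form_token(sid, "login", now)
    flipped = tok[:-1] + ("0" if tok[-1] != "0" else "1")  # corrupt one MAC character
    return {
        "fresh_same_session": verify_form_token(tok, sid, "login", now + 10),
        "other_session": verify_form_token(tok, "sess-B", "login", now + 10),
        "other_form": verify_form_token(tok, sid, "transfer", now + 10),
        "expired": verify_form_token(tok, sid, "login", now + TOKEN_TTL + 1),
        "tampered": verify_form_token(flipped, sid, "login", now + 10),
        "malformed": verify_form_token("not-a-token", sid, "login", now + 10),
        # The limit Brian raises: a real-time relay holds its own legitimate
        # session with the real server, fetched the form (and token) itself, and
        # forwards whatever the victim typed within the TTL. The server sees a
        # consistent session and token; nothing in the token says who typed it.
        "relayed_within_ttl": verify_form_token(tok, sid, "login", now + 60),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} accepted={ok}")
```

The token stops replay from another session, cross-form reuse, tampering and stale posts, which is what it is designed for. It does not tell a relayed submission apart from a genuine one, because the relay's own session is genuine as far as the server can see; that is why this control is an anti-forgery measure and not a defence against MITM phishing, which needs the second factor bound to the origin or the channel rather than to the form.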
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
----------------------------------------------------------------------------